[liberationtech] Fwd: Android apps used by millions vulnerable to password, e-mail theft

Nathan of Guardian nathan at guardianproject.info
Mon Oct 22 09:17:48 PDT 2012


On 10/22/2012 09:30 PM, Yishay Mor wrote:
> Any comments on this?

I would say that it is not an Android-specific problem, more of an
app-specific problem. One could say that the way in which the Android
API allows you to implement really terrible SSL handling code is a
problem, but I suspect you could also make the same standard mistakes in
Objective-C or .NET. I think the real problem is that there is no
industry standard method to display the status of an SSL or HTTPS
connection to a user, as there is with web browsers.

Beyond the risk of a man-in-the-middle attack, there is no way of
knowing at all if an app is even using SSL or HTTPS, other than a packet
level audit using Wireshark. I haven't seen any standard icon or
notifier on any mobile OS that tells me whether an app is using a secure
connection, whether that connection has been verified, and how I can
review the credentials used in the connection.

I would like to see privacy advocate groups take this issue up with
mobile OS vendors, as it is very much a consumer issue.

For Android developers, there are a few approaches you can take:

1) Moxie has a great post and sample code up here on not using CAs at
all and certificate pinning:
http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

2) You can include your own CA cert store in your app, and write custom
code for checking SSL status and notifying the user:
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java

3) Use the MemorizingTrustManager project to prompt the user to verify
each cert they come across. This is a Trust on First Use approach
otherwise known as "ToFu"... mildly annoying but safe!
https://github.com/ge0rg/MemorizingTrustManager


Best,
 Nathan




